Backdoor:Win32/Floxif
First posted on 21 September 2017.
Source: Microsoft
Aliases:
There are no other names known for Backdoor:Win32/Floxif.
Explanation:
This detection is related to the "trojanized" version of a third-party utility known as "CCleaner".
Installation
The threat is run whenever the trojanized version of CCleaner is run.
When run, the threat may store binary data under the registry key HKLM\SOFTWARE\Piriform\Agomo.
Payload
Collects and steals information
When run, the malicious DLL payload embedded inside the binary may collect the following information:
- Computer name
- Computer DNS domain
- Computer IP address
- Installed and running processes
This information is encrypted and sent via an HTTP POST request to the following command and control (C2) address:
- 216.126.225.148
Alternatively, it dynamically generates a C2 host address from the infected machine's current system date (year and month).
Downloads and runs additional code
The threat can also receive binary shellcode from its C2 server and run it. At the time of analysis the C2 server was not responding, so we are unable to confirm what the shellcode contains.
Additional information
SHA1: C705C0B0210EBDA6A3301C6CA9C6091B2EE11D5B
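A small triage helper for the indicators listed in this write-up, added here as an example and not part of Microsoft's analysis: it checks collected proxy log lines for POSTs to the C2 address, an exported registry key list for the Agomo key, and a file-hash inventory for the payload SHA1. The proxy log layout and all sample records are constructed.

```python
"""Triage helper for the Backdoor:Win32/Floxif indicators in this write-up (added example,
not Microsoft's code). It matches the Agomo registry key, POSTs to the hard-coded C2 address
and the payload SHA1 against records a responder has already collected; the proxy log layout
and every sample record below are constructed for illustration."""
import re
from typing import Dict, Iterable, List

C2_IP = "216.126.225.148"                                   # from the write-up
AGOMO_KEY = r"HKLM\SOFTWARE\Piriform\Agomo"                 # from the write-up
PAYLOAD_SHA1 = "C705C0B0210EBDA6A3301C6CA9C6091B2EE11D5B"  # from the write-up

# Assumed (constructed) proxy log layout: "<timestamp> <source-host> <method> <dest-ip>"
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\d{1,3}(?:\.\d{1,3}){3})$")

def scan_proxy_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return POST requests to the C2 address; the write-up reports POST, so GETs are ignored."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m.group(3) == "POST" and m.group(4) == C2_IP:
            hits.append({"time": m.group(1), "src": m.group(2)})
    return hits

def scan_registry_keys(keys: Iterable[str]) -> List[str]:
    """Return keys equal to, or below, the Agomo key; accepts HKEY_LOCAL_MACHINE as well as HKLM."""
    want = AGOMO_KEY.lower()
    found = []
    for key in keys:
        norm = re.sub(r"^hkey_local_machine", "hklm", key.strip().lower())
        if norm == want or norm.startswith(want + "\\"):
            found.append(key)
    return found

def scan_hashes(inventory: Dict[str, str]) -> List[str]:
    """Return paths whose SHA1 equals the payload hash, regardless of hex case."""
    return [p for p, h in inventory.items() if h.strip().upper() == PAYLOAD_SHA1]

# Constructed samples; 203.0.113.10 is a TEST-NET address standing in for benign traffic.
SAMPLE_LOG = [
    "2017-09-20T10:01:02Z WS-042 POST 216.126.225.148",
    "2017-09-20T10:01:05Z WS-042 GET 203.0.113.10",
    "2017-09-20T10:02:11Z WS-007 GET 216.126.225.148",  # GET, so not the reported beacon shape
]
SAMPLE_KEYS = [r"HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo", r"HKLM\SOFTWARE\Piriform\CCleaner"]
SAMPLE_HASHES = {r"C:\constructed\a.exe": PAYLOAD_SHA1.lower(), r"C:\constructed\b.exe": "0" * 40}

if __name__ == "__main__":
    print(scan_proxy_log(SAMPLE_LOG), scan_registry_keys(SAMPLE_KEYS), scan_hashes(SAMPLE_HASHES))
```

The three scanners are independent, so each can be pointed at whatever data source is actually available during triage.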
Analysis by Jireh Sanico
Last update 21 September 2017